mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-11-25 20:11:40 +01:00
Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.
This commit is contained in:
parent
164356e776
commit
44393c56b3
@ -178,6 +178,9 @@ For convenience, a web front-end on top of the command-line tool is available at
|
|||||||
|
|
||||||
## ChangeLog
|
## ChangeLog
|
||||||
|
|
||||||
|
### v3.2.0 (???)
|
||||||
|
- Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
|
||||||
|
|
||||||
### v3.1.0 (2023-12-20)
|
### v3.1.0 (2023-12-20)
|
||||||
- Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
|
- Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
|
||||||
- Dropped support for Python 3.7 (EOL was reached in June 2023).
|
- Dropped support for Python 3.7 (EOL was reached in June 2023).
|
||||||
|
@ -491,7 +491,7 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_aud
|
|||||||
if algs.ssh2kex is not None:
|
if algs.ssh2kex is not None:
|
||||||
ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption
|
ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption
|
||||||
for cipher in ciphers_supported:
|
for cipher in ciphers_supported:
|
||||||
if cipher.endswith("-cbc"):
|
if cipher.endswith("-cbc") or cipher.endswith("-cbc@openssh.org") or cipher.endswith("-cbc@ssh.com") or cipher == "rijndael-cbc@lysator.liu.se":
|
||||||
ret.append(cipher)
|
ret.append(cipher)
|
||||||
|
|
||||||
return ret
|
return ret
|
||||||
@ -501,7 +501,7 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_aud
|
|||||||
ret = []
|
ret = []
|
||||||
|
|
||||||
for cipher in db["enc"]:
|
for cipher in db["enc"]:
|
||||||
if cipher.endswith("-cbc") and cipher not in _get_cbc_ciphers_enabled(algs):
|
if (cipher.endswith("-cbc") or cipher.endswith("-cbc@openssh.org") or cipher.endswith("-cbc@ssh.com") or cipher == "rijndael-cbc@lysator.liu.se") and cipher not in _get_cbc_ciphers_enabled(algs):
|
||||||
ret.append(cipher)
|
ret.append(cipher)
|
||||||
|
|
||||||
return ret
|
return ret
|
||||||
|
Loading…
Reference in New Issue
Block a user